1/*
2
3osfc2.c
4
5Author: Christophe Wolfhugel
6
7Copyright (c) 1995 Christophe Wolfhugel
8
9Free use of this file is permitted for any purpose as long as
10this copyright is preserved in the header.
11
12This program implements the use of the OSF/1 C2 security extensions
13within ssh. See the file COPYING for full licensing information.
14
15*/
16
17/*
18 * $Id: osfc2.c,v 1.1.1.4 1999-03-08 17:43:22 danw Exp $
19 * $Log: not supported by cvs2svn $
20 * Revision 1.11  1998/05/23  20:31:56  kivinen
21 *      Added osf1c2_check_account_and_terminal function.
22 *
23 * Revision 1.10  1998/05/11  21:26:49  kivinen
24 *      Moved prpasswd stuff to be inside if (pr).
25 *
26 * Revision 1.9  1998/05/11 18:53:16  kivinen
27 *      Fixed osf1 resource code, by moving resource limit
28 *      initialization to initialize_osf_security function.
29 *      osf1c2_getprpwent function is only called if password
30 *      authentication is used, and because of this all limits
31 *      contained zero. This caused sshd client immediately exit
32 *      because of cpu resource limit exceeded.
33 *
34 * Revision 1.8  1998/04/30 01:53:57  kivinen
35 *      Fixed osflim handling so that now it allows setting resource
36 *      to 0.
37 *
38 * Revision 1.7  1998/03/30 21:39:40  kivinen
39 *      Added system default lock check.
40 *
41 * Revision 1.6  1998/03/27 16:58:42  kivinen
42 *      Fixed password expire code.
43 *
44 * Revision 1.5  1998/01/14 16:39:10  kivinen
45 *      Added check that getespwnam function exists.
46 *
47 * Revision 1.4  1998/01/02 06:19:31  kivinen
48 *      Added account locking and expiration support. Added resource
49 *      limit setting.
50 *
51 * Revision 1.3  1997/01/08 13:22:36  ttsalo
52 *      A fix for OSF/1 passwords from
53 *      Steve VanDevender <stevev@hexadecimal.uoregon.edu> merged.
54 *
55 * Revision 1.2  1996/10/29 22:43:02  kivinen
56 *      log -> log_msg.
57 *
58 * Revision 1.1.1.1  1996/02/18 21:38:11  ylo
59 *      Imported ssh-1.2.13.
60 *
61 * Revision 1.3  1995/09/10  23:27:28  ylo
62 *      Eliminated duplicate #includes.
63 *
64 * Revision 1.2  1995/09/10  23:03:56  ylo
65 *      Added copyright.
66 *
67 * Revision 1.1  1995/09/10  22:41:01  ylo
68 *      Support functions for OSF/1 C2 extended security
69 *      authentication.
70 *
71 */
72
73#include "includes.h"
74#include "ssh.h"
75#include <sys/security.h>
76#include <prot.h>
77#include <sia.h>
78
/*
 * Security mode detected from MATRIX_CONF by initialize_osf_security():
 *   -1 = not yet determined (initialize_osf_security() exits in that case),
 *    0 = classic BSD password database,
 *    1 = OSF/1 C2 protected password database.
 * Every other function in this file branches on this value.
 */
static int      c2security = -1;
/* Algorithm id taken from the user's protected password entry
   (pr->ufld.fd_oldcrypt) by osf1c2_getprpwent(); consumed by osf1c2crypt().
   Valid only after osf1c2_getprpwent() has run for the user in question. */
static int      crypt_algo;
/* Per-login resource limits copied by osf1c2_check_account_and_terminal()
   from the user's extended-security template.  Slot order as filled there:
   cpu, fsize, data, stack, core, rss, nofile, vmem.  initialize_osf_security()
   presets every slot to -1, presumably meaning "no limit supplied by the
   template" -- the code that applies osflim[] lives outside this file. */
long            osflim[8];
82
/*
 * Determine whether this OSF/1 host runs with C2 (enhanced) security and
 * prepare the process accordingly.
 *
 * ac, av: the program's argc/argv, handed to set_auth_parameters() when
 *         C2 security is in use.
 *
 * Side effects: presets every osflim[] slot to -1, sets the file-level
 * c2security flag and logs the detected level.  Any of the following is
 * treated as a fatal misconfiguration and terminates the process with exit
 * status 1: SIAIGOODFILE missing, MATRIX_CONF unreadable, or no
 * "siad_ses_init=" line naming either OSFC2 or BSD.  Exiting instead of
 * guessing means sshd never silently falls back to the wrong password
 * database.
 */
void
initialize_osf_security(int ac, char **av)
{
  static const char key[] = "siad_ses_init=";
  const size_t keylen = sizeof(key) - 1;
  char line[256];
  FILE *conf;
  size_t slot;

  for (slot = 0; slot < sizeof(osflim) / sizeof(osflim[0]); slot++)
    osflim[slot] = -1;

  /* Both files belong to a sane OSF/1 installation; refuse to run without them. */
  if (access(SIAIGOODFILE, F_OK) == -1)
    {
      fprintf(stderr, "%s does not exist. Your OSF/1 system is probably broken.\n",
              SIAIGOODFILE);
      exit(1);
    }
  conf = fopen(MATRIX_CONF, "r");
  if (conf == NULL)
    {
      fprintf(stderr, "%s unreadable. Your OSF/1 system is probably broken.\n",
              MATRIX_CONF);
      exit(1);
    }

  /* The first "siad_ses_init=" line decides: OSFC2 means C2, BSD means the
     classic database.  A line longer than sizeof(line) - 1 bytes arrives in
     pieces, so only its leading 255 bytes are examined. */
  while (fgets(line, sizeof(line), conf) != NULL)
    {
      if (strncmp(line, key, keylen) != 0)
        continue;
      if (strstr(line, "OSFC2") != NULL)
        c2security = 1;
      else if (strstr(line, "BSD") != NULL)
        c2security = 0;
      break;
    }
  fclose(conf);

  if (c2security == -1)
    {
      fprintf(stderr, "C2 security initialization failed : could not determine security level.\n");
      exit(1);
    }
  log_msg("OSF/1: security level : %s", c2security == 0 ? "BSD" : "C2");
  if (c2security == 1)
    set_auth_parameters(ac, av);
}
131
/*
 * Check the C2 account state of `username' before authentication.
 *
 * username: login name to look up in the protected password database.
 * terminal: name of the terminal the login comes from, or NULL to skip the
 *           per-terminal authorization check.
 *
 * Returns NULL if nothing here forbids the login, otherwise a static message
 * (ready to be shown to the user) saying why the account may not be used.
 * Only the first failing check is reported, in this order: lock, retired,
 * time-of-day restriction, terminal authorization, extended lock-out.
 *
 * Side effect: when the user has an extended-security template, the
 * template's resource limits are copied into the global osflim[].
 *
 * On a non-C2 system (c2security != 1) this is a no-op returning NULL.
 * Note that several lookups fail open: an unknown user (getprpwnam() returns
 * NULL), an unresolvable template (getespwnam() returns NULL) or an unknown
 * terminal (getestcnam() returns NULL) each cause the corresponding checks
 * to be skipped rather than the login to be refused.  Callers must not rely
 * on this function alone to reject non-existent users.
 */
const char *osf1c2_check_account_and_terminal(const char *username,
                                              const char *terminal)
{
  if (c2security == 1)
    {
      /* getprpwnam() takes a non-const name; the cast does not modify it. */
      struct pr_passwd *pr = getprpwnam((char *) username);
      if (pr)
        {
          /* Lock: when the per-user field is present (uflg) it decides;
             otherwise the system default (sflg/sfld) does. */
          if (pr->uflg.fg_lock == 1)
            {
              if (pr->ufld.fd_lock == 1)
                {
                  return "\n\tYour account is locked.\n\n";
                }
            }
          else
            if (pr->sflg.fg_lock == 1 && pr->sfld.fd_lock == 1)
              {
                return "\n\tYour account is locked.\n\n";
              }

          /* Retired: same user-overrides-system precedence as for locks. */
          if (pr->uflg.fg_retired)
            {
              if (pr->ufld.fd_retired)
                {
                  return "\n\tYour account has been retired.\n\n";
                }
            }
          else
            if (pr->sflg.fg_retired && pr->sfld.fd_retired)
              {
                return "\n\tYour account has been retired.\n\n";
              }

#ifdef HAVE_TIME_LOCK
          /* Library call; a non-zero result is treated as "outside the
             permitted login hours". */
          if (time_lock(pr))
            {
              return "\n\tWrong time period to log into this account.\n\n";
            }
#endif /* HAVE_TIME_LOCK */
          /* Template-based (extended) attributes are only consulted when the
             entry names a template and the library provides getespwnam(). */
          if (pr->uflg.fg_template)
            {
#ifdef HAVE_GETESPWNAM
              struct es_passwd *es = getespwnam(pr->ufld.fd_template);
              if (es)
                {
#ifdef HAVE_GETESTCNAM
                  /* Terminal authorization.  Skipped silently when no
                     terminal was given or the terminal is not in the terminal
                     control database (getestcnam() returns NULL).  A non-zero
                     auth_for_terminal_es() result is treated as "not
                     authorized" -- NOTE(review): confirm this matches the
                     library's return convention. */
                  if (terminal != NULL)
                    {
                      struct es_term *term = getestcnam(terminal);
                      if (term)
                        {
                          if (auth_for_terminal_es(es, term))
                            {
                              return "\n\tNot authorized to login from that terminal.\n\n";
                            }
                        }
                    }
#endif /* HAVE_GETESTCNAM */
#ifdef HAVE_LOCKED_OUT_ES
                  /* Extended lock-out (e.g. by the template); non-zero means
                     locked out. */
                  if (locked_out_es(es))
                    {
                      return "\n\tYour account has been locked out.\n\n";
                    }
#endif /* HAVE_LOCKED_OUT_ES */

                  /** Login resources **/
                  /* Each limit is copied only when the template flags the
                     field as set; otherwise osflim[] keeps the value
                     initialize_osf_security() gave it.  The slot order here
                     presumably has to match the code that applies osflim[]
                     to the session (outside this file). */
                  if (es->uflg->fg_rlim_cpu == 1)
                    osflim[0] = es->ufld->fd_rlim_cpu;
                  if (es->uflg->fg_rlim_fsize == 1)
                    osflim[1] = es->ufld->fd_rlim_fsize;
                  if (es->uflg->fg_rlim_data == 1)
                    osflim[2] = es->ufld->fd_rlim_data;
                  if (es->uflg->fg_rlim_stack== 1)
                    osflim[3] = es->ufld->fd_rlim_stack;
                  if (es->uflg->fg_rlim_core == 1)
                    osflim[4] = es->ufld->fd_rlim_core;
                  if (es->uflg->fg_rlim_rss == 1)
                    osflim[5] = es->ufld->fd_rlim_rss;
                  if (es->uflg->fg_rlim_nofile == 1)
                    osflim[6] = es->ufld->fd_rlim_nofile;
                  if (es->uflg->fg_rlim_vmem == 1)
                    osflim[7] = es->ufld->fd_rlim_vmem;
                }
#endif /* HAVE_GETESPWNAM */
            }
        }
    }
  return NULL;
}
222
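/*
 * Copy a password hash into a caller-supplied buffer, always NUL-terminated.
 *
 * dst: destination buffer of `len' bytes.
 * src: NUL-terminated hash string.
 * len: size of dst; nothing is written when len <= 0.
 *
 * A bare strncpy() leaves dst unterminated when src is len bytes or longer;
 * the caller later treats dst as a C string (crypt() and comparison), so an
 * unterminated copy would read past the buffer.  A hash that does not fit is
 * truncated instead, which can only make authentication fail, not succeed.
 */
static void
osf1c2_copy_hash(char *dst, const char *src, int len)
{
  if (len <= 0)
    return;
  strncpy(dst, src, (size_t) len);
  dst[len - 1] = '\0';
}

/*
 * Fetch the stored password hash for user `n' and evaluate password aging.
 *
 * p:   output buffer for the hash, at least `len' bytes.
 * n:   login name.
 * len: size of `p' in bytes.
 *
 * Returns 1 when the password has expired, 0 otherwise.  Expiry is evaluated
 * only under C2 security: the lifetime comes from the system defaults, or
 * from the user's extended-security template when the entry names one, and
 * is counted from the last change time.  In C2 mode, when the entry exists,
 * the file-level crypt_algo (for osf1c2crypt()) is set before aging is
 * evaluated, and the extern days_before_password_expires is updated when a
 * lifetime is configured and not yet exceeded.
 *
 * When the user is unknown (getprpwnam()/getpwnam() return NULL) `p' is left
 * untouched and 0 is returned; detecting that case is the caller's job.  The
 * copy into `p' is always NUL-terminated (the previous strncpy() left it
 * unterminated when the hash filled the buffer).
 */
int
osf1c2_getprpwent(char *p, char *n, int len)
{
  extern int days_before_password_expires;
  struct pr_passwd *pr;
  time_t pschg, tnow;

  if (c2security != 1)
    {
      /* Classic BSD database: no aging information to evaluate. */
      struct passwd *pw = getpwnam(n);
      if (pw)
        osf1c2_copy_hash(p, pw->pw_passwd, len);
      return 0;
    }

  pr = getprpwnam(n);
  if (pr == NULL)
    return 0;

  osf1c2_copy_hash(p, pr->ufld.fd_encrypt, len);
  crypt_algo = pr->ufld.fd_oldcrypt;

  tnow = time(NULL);
  /* Without a recorded change time the age is counted from the epoch, so
     any realistic positive lifetime is already exceeded.  Kept as in the
     original -- presumably intended so a password that was never changed
     counts as expired. */
  if (pr->uflg.fg_schange == 1)
    pschg = pr->ufld.fd_schange;
  else
    pschg = 0;

  if (pr->uflg.fg_template == 0)
    {
      /** default template, system values **/
      if (pr->sflg.fg_lifetime == 1 &&
          pr->sfld.fd_lifetime > 0 &&
          pschg + pr->sfld.fd_lifetime < tnow)
        return 1;
      if (pr->sflg.fg_lifetime && pr->sfld.fd_lifetime > 0)
        days_before_password_expires =
          (pschg + pr->sfld.fd_lifetime - tnow) / 86400;
    }
  else
    {
      /** user template, specific values **/
#ifdef HAVE_GETESPWNAM
      /* Template lookup failing (NULL) means no aging is enforced at all. */
      struct es_passwd *es = getespwnam(pr->ufld.fd_template);
      if (es && es->uflg->fg_expire == 1 && es->ufld->fd_expire > 0)
        {
          if (pschg + es->ufld->fd_expire < tnow)
            return 1;
          days_before_password_expires =
            (pschg + es->ufld->fd_expire - tnow) / 86400;
        }
#endif /* HAVE_GETESPWNAM */
    }
  return 0;
}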
283
/*
 * Hash `pw' with `salt' using whichever scheme the active security mode
 * calls for.
 *
 * Under C2 security (c2security == 1) the algorithm id recorded in the
 * user's protected password entry (crypt_algo, filled in by
 * osf1c2_getprpwent()) selects the scheme via dispcrypt(); otherwise the
 * classic crypt() is used.  osf1c2_getprpwent() must therefore have run for
 * the same user before this is called.
 *
 * Returns whatever the library returns.  As with crypt(3) this is presumably
 * a pointer to static storage overwritten by the next call, and may be NULL
 * on failure -- NOTE(review): callers should check for NULL before comparing
 * hashes; confirm against the OSF/1 library documentation.
 */
char *
osf1c2crypt(const char *pw, char *salt)
{
  if (c2security != 1)
    return crypt(pw, salt);
  return dispcrypt(pw, salt, crypt_algo);
}